Vulnerability Scanning Services/Sites

Part of any proper security maintenance regime is regular monitoring of an organization’s security posture and its degree of vulnerability to known exploits, attacks, back doors, and other potential sources of illicit or unauthorized access or entry to systems and networks. This brings up what I like to call the “Inverse Golden Rule of Security,” which can be succinctly stated as: “Do unto yourself before others can do unto you.”

For assessing your systems’ and networks’ vulnerabilities to outside probing and attack, nothing works better than a thorough, well-designed vulnerability scan.

Vulnerability scans are normally conducted using any of a set of well-known tools and utilities. These first try to “footprint” systems and networks, that is, to identify the operating systems, devices, and versions in use, which narrows down the list of applicable and potential vulnerabilities before trying them out. They then systematically probe for signs of weakness based on system and network behavior, and attempt to exploit vulnerabilities, attempts that may or may not succeed in the environment being scanned. Using a vulnerability scanner, sometimes known as a security scanner, has become a routine part of security maintenance and related security audit procedures.
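The narrowing step that footprinting enables can be sketched as follows. This is an added example, not code from any scanner named on this page; the product names, banners, addresses, and advisory ids are all constructed placeholders.

```python
import re

# Constructed banners, as a footprinting pass over your own hosts might record them.
BANNERS = {
    "192.0.2.5:21": "220 ExampleFTPd 1.3.2 ready",
    "192.0.2.5:80": "Server: ExampleHTTPd/2.4.10 (Unix)",
    "192.0.2.7:22": "SSH-2.0-ExampleSSH_7.4",
    "192.0.2.9:80": "Server: ExampleHTTPd",  # version suppressed by the server
}

# Constructed advisory feed: (product, first fixed version, placeholder id).
ADVISORIES = [
    ("examplehttpd", "2.4.12", "ADVISORY-PLACEHOLDER-1"),
    ("exampleftpd", "1.3.2", "ADVISORY-PLACEHOLDER-2"),
    ("examplessh", "8.0", "ADVISORY-PLACEHOLDER-3"),
]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def older(a, b):
    """True if version tuple a precedes b; pads so (2, 4) equals (2, 4, 0)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def footprint(banner):
    """Return (product, version tuple or None) for the first known product named in a banner."""
    for product, _, _ in ADVISORIES:
        m = re.search(re.escape(product) + r"(?:[/_ ]v?(\d+(?:\.\d+)*))?", banner, re.I)
        if m:
            return product, (parse_version(m.group(1)) if m.group(1) else None)
    return None, None

def triage(banners):
    """Map each endpoint to the advisory ids its footprint leaves applicable."""
    findings = {}
    for endpoint, banner in banners.items():
        product, version = footprint(banner)
        hits = []
        for adv_product, fixed_in, adv_id in ADVISORIES:
            if adv_product != product:
                continue
            if version is None:  # cannot narrow: keep it, but mark for manual check
                hits.append(adv_id + " (version unknown)")
            elif older(version, parse_version(fixed_in)):
                hits.append(adv_id)
        findings[endpoint] = hits
    return findings

if __name__ == "__main__":
    for endpoint, hits in triage(BANNERS).items():
        print(endpoint, hits or "no applicable advisories")
```

A banner only reports what the service claims to be, so a match here is a candidate for verification and a clean result is not proof of a patched system.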

While commercial scanning services and run-it-yourself scanning software are widely available, you might be amazed by what you can learn about your systems and networks using free, cheap, or complimentary Web-based security scans. Steve Gibson of Gibson Research (and SpinRite fame) operates a pretty useful set of services called Shields UP!!, Probe My Ports, and LeakTest through his Web site at http://grc.com that provide reasonably quick feedback on a notorious but narrow set of potential vulnerabilities (most related to Windows systems). Likewise, in exchange for registration information, a quick hop to http://www.securityspace.com for their Trial Audit will scan a wide range of potential vulnerabilities, and make a Web-based report available to you within an hour or two.

The latter service from SecuritySpace is supposed to entice you to sign up for one of their various regular service offerings, which range in price from the very reasonable (a little over $20 a month for a yearly subscription for monthly audits) to the still not stratospheric price of $200 a month (for as many on-demand audits as you like). These services are useful not only because they provide quick snapshots of what your systems and networks look like to outsiders, but also because they can lead to increased security awareness, quick response to new vulnerabilities, and better overall security posture.